agenttesla | 5b8ccfa10415999c180007db5d1ad1bb7b876914421ca65e11d0a39259128a8f

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
12-12-2023 16:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO OAU_DECQTRFA00541·PDF.scr
Size

876KB
MD5

db8fdd697dafaa4aeb307452d652e0ef
SHA1

2addcfa14726e4c3e049873f7cfe0f2d42a04923
SHA256

9a37e5fffbac484741276e5f1e6e3c69edb6de33844ee2d99c9ce3adcf5deca9
SHA512

27fe99a63ea198bdfd9cd20415b0bf5d4a607ac8351f6c4e45df2c771ab6c6f1f4e19d386dca06d548110297f88d4bf52a0ff0d0b25890c75d3feb2213ffc827
SSDEEP

12288:613dUDuaee2A+cOpyd3Xo9c7T2zA+ctdOdplOXTdxvbhecadhoSHwerwGdx:I1aL2LoXGjAMCkc+w

Score

10^/10

agenttesla zgrat keylogger rat spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.yandex.com
Port:
587
Username:
[email protected]
Password:
uymzbwhxnsbuprue
Email To:
[email protected]

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla

Detect ZGRat V1 35 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2368-2-0x0000000001F60000-0x0000000002008000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-5-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-4-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-7-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-11-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-9-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-17-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-19-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-15-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-13-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-21-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-23-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-27-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-31-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-33-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-37-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-39-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-35-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-29-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-25-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-41-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-45-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-51-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-53-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-49-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-47-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-43-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-55-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-63-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-65-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-67-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-61-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-59-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-57-0x0000000001F60000-0x0000000002002000-memory.dmp	family_zgrat_v1
behavioral1/memory/2368-930-0x0000000004990000-0x00000000049D0000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Suspicious use of SetThreadContext 1 IoCs

Processes:

PO OAU_DECQTRFA00541·PDF.scr

description pid process target process

PID 2368 set thread context of 740 2368 PO OAU_DECQTRFA00541·PDF.scr aspnet_compiler.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

aspnet_compiler.exe

pid process

740 aspnet_compiler.exe
740 aspnet_compiler.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO OAU_DECQTRFA00541·PDF.scraspnet_compiler.exe

description pid process

Token: SeDebugPrivilege 2368 PO OAU_DECQTRFA00541·PDF.scr
Token: SeDebugPrivilege 740 aspnet_compiler.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

aspnet_compiler.exe

pid process

740 aspnet_compiler.exe

description	pid	process	target process
PID 2368 set thread context of 740	2368	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe

pid	process
740	aspnet_compiler.exe
740	aspnet_compiler.exe

description	pid	process
Token: SeDebugPrivilege	2368	PO OAU_DECQTRFA00541·PDF.scr
Token: SeDebugPrivilege	740	aspnet_compiler.exe

pid	process
740	aspnet_compiler.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

PO OAU_DECQTRFA00541·PDF.scr

description	pid	process	target process
PID 2368 wrote to memory of 740	2368	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2368 wrote to memory of 740	2368	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2368 wrote to memory of 740	2368	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2368 wrote to memory of 740	2368	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2368 wrote to memory of 740	2368	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2368 wrote to memory of 740	2368	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2368 wrote to memory of 740	2368	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2368 wrote to memory of 740	2368	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe
PID 2368 wrote to memory of 740	2368	PO OAU_DECQTRFA00541·PDF.scr	aspnet_compiler.exe

C:\Users\Admin\AppData\Local\Temp\PO OAU_DECQTRFA00541·PDF.scr
"C:\Users\Admin\AppData\Local\Temp\PO OAU_DECQTRFA00541·PDF.scr" /S
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-943-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/740-946-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/740-945-0x0000000004A10000-0x0000000004A50000-memory.dmp

Filesize
256KB

Download
memory/740-944-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/2368-25-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-11-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-7-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-51-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-9-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-17-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-19-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-15-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-13-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-21-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-23-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-27-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-31-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-33-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-37-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-53-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-35-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-29-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-0-0x0000000000A80000-0x0000000000B60000-memory.dmp

Filesize
896KB

Download
memory/2368-41-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-2-0x0000000001F60000-0x0000000002008000-memory.dmp

Filesize
672KB

Download
memory/2368-4-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-39-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-49-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-47-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-43-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-55-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-63-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-65-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-67-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-61-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-59-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-57-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-926-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2368-927-0x00000000020B0000-0x00000000020F2000-memory.dmp

Filesize
264KB

Download
memory/2368-928-0x0000000002100000-0x000000000214C000-memory.dmp

Filesize
304KB

Download
memory/2368-929-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/2368-930-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/2368-939-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download
memory/2368-5-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-3-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/2368-45-0x0000000001F60000-0x0000000002002000-memory.dmp

Filesize
648KB

Download
memory/2368-1-0x0000000073FC0000-0x00000000746AE000-memory.dmp

Filesize
6.9MB

Download